Community discussions

MikroTik App
 
Bpmcgee
just joined
Topic Author
Posts: 4
Joined: Tue May 09, 2023 5:49 am

Quick setup “Home AP Dual” question

Tue May 09, 2023 5:55 am

Hi,

New RB4011 setup here. I want to allow a guest network with only internet access. Setting up both private and guest networks is fine, but I notice that the guest network has access to WebFig on the router. This seems like a security gap?

What’s the best way to eliminate this?

B
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Quick setup “Home AP Dual” question

Tue May 09, 2023 12:03 pm

Quickset does not provide such security differentiation options. The Guest network is just another wireless name with the only difference that you don't have to tell the guests your WiFi password. There are no other security mechanisms in place. For that you have to manually set up other settings.
 
Bpmcgee
just joined
Topic Author
Posts: 4
Joined: Tue May 09, 2023 5:49 am

Re: Quick setup “Home AP Dual” question

Tue May 09, 2023 1:58 pm

Understood,

What are those steps?
 
h1ghrise
just joined
Posts: 19
Joined: Fri Apr 14, 2023 5:05 pm

Re: Quick setup “Home AP Dual” question

Tue May 09, 2023 11:24 pm

Adjust firewall rules appropriately:
- Allow only defined devices/subnets access to router services (input chain)
- block everything else (whitelist approach)

--> viewtopic.php?t=180838
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Quick setup “Home AP Dual” question

Wed May 10, 2023 11:08 am

That's a good thread, but a bit broad for this question.

Maybe somebody else can suggest another thread, but you could set up two DHCP Pools, one for the main AP, other for the Guest AP, then use firewall to separate the IP subnets like this:
https://help.mikrotik.com/docs/display/ ... n+Wireless

Good idea for a MikroTik Youtube channel video. Will make it.
 
Bpmcgee
just joined
Topic Author
Posts: 4
Joined: Tue May 09, 2023 5:49 am

Re: Quick setup “Home AP Dual” question

Wed May 10, 2023 4:23 pm

@normis,

Thanks! If the purpose of "QuickFig" is to help out those of us not as comfortable with RouterOS config, I have a suggestion. Right now configuring a guest network with no shared key has the silent side-effect of making your private network more vulnerable. A checkbox like "Limit Guest Network to Internet" or "Allow Guest Network to Access Private Network" would make it more clear to newbs like myself that there's a decision to be made, and could automate this process.

I'll visit your thread and try to work through it,

Brian
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Quick setup “Home AP Dual” question

Wed May 10, 2023 4:53 pm

One thing I did not write correctly, Guest mode right now denies communication between connected Wireless users. So there is at least that level of security.
 
User avatar
BrianHiggins
Forum Veteran
Forum Veteran
Posts: 702
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: Quick setup “Home AP Dual” question

Wed May 10, 2023 5:27 pm

One thing I did not write correctly, Guest mode right now denies communication between connected Wireless users. So there is at least that level of security.
I believe what he was saying is that Guest mode should include a rule that denies all traffic !out-interface=wan, and also in-interface=lan & out-interface=guest so that the guest network is unable to access the LAN side of the customer network.

Also something that I would appreciate seeing implemented as I recently had an issue where someone tried to enable the guest network and realized that it didn't restrict access to the LAN.

Who is online

Users browsing this forum: dinosgb and 57 guests